Okta Classic Engine | Multi-Factor Authentication | Answered
Timestamps: 2024-04-16T11:57:22.000Z, 2022-05-18T13:22:28.000Z, 2022-05-19T18:06:17.000Z

hdrj3 (hdrj3) asked a question.

RDP bypass Okta for local logins

We are looking to protect a certain group of elevated accounts by enforcing MFA when they RDP to our servers but want to continue to allow any and all other accounts that currently have the ability to RDP to do so without MFA. We have enabled the Microsoft RDP MFA Application and installed the credential provider on a test server. After importing our directory, we assigned the Domain Users group to the Microsoft RDP (MFA) application as a catch-all for any accounts who have the ability to RDP to a server and have enforced MFA for that particular group we want to protect. This works just fine; however, local accounts are not able to RDP and get the error "Multifactor Authentication Failed" when attempted. I've come across some Okta discussions suggesting to create an Okta account and assign it to the application with the login name hostname/localaccountname; however, this didn't work when tried and, additionally, would mean that we would have to create hundreds of these to account for each server's hostname. We even tried a single Okta account with the sign-in name .\localaccountname, but this too didn't work.

 

Is there a way to make it so that local accounts can bypass the Okta MFA credential provider? We don't want local accounts to have anything to do with this Okta MFA for servers deployment.


This question is closed.